On August 28, 2014, the long-awaited update to the European rules on electronic signatures and digital trust was officially published in the Official Journal of the European Union: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
The Regulation has also been published in the BOE (Spain's official gazette): Regulation 910/2014 on Electronic Signature.
It is a rule that applies directly in all Member States of the European Union and supersedes their existing national regulations on electronic signatures, since those were developed within the framework of Directive 1999/93/EC, which is expressly repealed. It enters into force on September 17, 2014, with its provisions becoming mandatory in a staggered manner: most of them on July 1, 2016, others on September 17, 2014, and others depending on the date of publication of the so-called "implementing acts", complementary rules of the European Union or developments by the Member States.
This is the final text of the Regulation:
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Acting in accordance with the ordinary legislative procedure (2),
Whereas:
(1)
The creation of a climate of trust in the online environment is essential for economic and social development. Mistrust, in particular due to perceived legal uncertainty, makes consumers, businesses and public administrations hesitant to carry out transactions electronically and to adopt new services.
(2)
This Regulation aims to enhance trust and confidence in electronic transactions in the internal market by providing a common basis for secure electronic interactions between citizens, businesses and public administrations and thereby increasing the effectiveness of public and private online services, e-business and e-commerce in the Union.
(3)
Directive 1999/93/EC of the European Parliament and of the Council (3) concerns electronic signatures, without providing a comprehensive cross-border and cross-sectoral framework to ensure secure, reliable and user-friendly electronic transactions. This Regulation reinforces and extends the acquis represented by that Directive.
(4)
The Commission Communication of 26 August 2010 entitled “A Digital Agenda for Europe” noted that fragmentation of the digital market, lack of interoperability and increasing cybercrime were major obstacles to the virtuous cycle of the digital economy. In its 2010 citizenship report, entitled “Removing obstacles to EU citizens’ rights”, the Commission also stressed the need to address the main problems that prevent EU citizens from enjoying the benefits of a digital single market and cross-border digital services.
(5)
In its conclusions of 4 February 2011 and 23 October 2011, the European Council invited the Commission to create a digital single market by 2015 in order to make rapid progress in key areas of the digital economy and to promote a fully integrated digital single market by facilitating cross-border use of online services, with a particular focus on secure electronic identification and authentication.
(6)
In its conclusions of 27 May 2011 the Council invited the Commission to contribute to the digital single market by creating appropriate conditions for mutual recognition across borders of key instruments such as electronic identification, electronic documents, electronic signatures and electronic delivery services, as well as for interoperable eGovernment services across the European Union.
(7)
The European Parliament, in its Resolution of 21 September 2010 on completing the internal market for e-commerce (4), underlined the importance of the security of electronic services, especially electronic signatures, and the need to create a pan-European public key infrastructure, and called on the Commission to establish a European validation authority gateway to ensure cross-border interoperability of electronic signatures and to increase the security of transactions carried out over the Internet.
(8)
Directive 2006/123/EC of the European Parliament and of the Council (5) requires Member States to establish “points of single contact” to ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof can be easily carried out, at a distance and by electronic means, through the appropriate single point of contact and with the competent authorities. However, many online services accessible through single points of contact require electronic identification, authentication and signature.
(9)
In most cases, citizens of one Member State cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification systems in their country are not recognized in other Member States. Such an electronic barrier excludes service providers from fully enjoying the benefits of the internal market. Mutually recognized means of electronic identification will facilitate the cross-border provision of many services in the internal market and enable businesses to operate across borders without encountering obstacles in their interaction with public authorities.
(10)
Directive 2011/24/EU of the European Parliament and of the Council (6) establishes a network of national authorities in charge of e-health. In order to improve the security and continuity of cross-border healthcare, this network is requested to develop guidelines on cross-border access to eHealth data and services, in particular by supporting “common identification and authentication measures to facilitate the transferability of data in cross-border healthcare”. Mutual recognition of electronic identification and authentication is essential to make cross-border healthcare for European citizens a reality. When a person travels for treatment, his or her medical data must be accessible in the country providing the treatment. This requires a robust, secure and reliable electronic identification framework.
(11)
This Regulation should be implemented in such a way as to comply fully with the principles relating to the protection of personal data as laid down in Directive 95/46/EC of the European Parliament and of the Council (7). To that end, having regard to the principle of mutual recognition laid down in this Regulation, authentication for the purposes of an online service should only involve the processing of identification data which are adequate, relevant and not excessive for granting access to the online service concerned. Moreover, trust service providers and the supervisory body should also respect the confidentiality and security of processing requirements provided for in Directive 95/46/EC.
(12)
One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States for authentication at least in public services. This Regulation does not intend to intervene in the electronic identity management systems and related infrastructures established in the Member States. Its purpose is to ensure that secure electronic identification and authentication are possible for access to cross-border online services offered by the Member States.
(13)
Member States should remain free to use or introduce, for the purposes of electronic identification, means of accessing online services. They should also be able to decide whether or not to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification systems to the Commission. It is up to Member States to decide whether to notify all, some or none of the electronic identification schemes used at national level for access to at least public online services or specific services.
(14)
Certain conditions should be laid down in this Regulation as to which means of electronic identification have to be recognized and how the systems are to be notified. This would help each Member State to acquire the necessary confidence in each other’s electronic identification schemes and to mutually recognize the electronic identification means of the notified schemes. The principle of mutual recognition should apply if the electronic identification system of the notifying Member State meets the conditions for notification and the notification has been published in the Official Journal of the European Union. However, the principle of mutual recognition should relate only to authentication for the purposes of an online service. Access to such online services and their final provision to the applicant should be closely linked to the right to receive such services under the conditions laid down by national law.
(15)
The obligation to recognise electronic identification means should relate only to means whose level of identity security corresponds to a level equal to or higher than that required for the online service concerned. Moreover, the obligation should apply only where the public sector body concerned uses the “substantial” or “high” level of security for access to that online service. Member States should have the possibility, in accordance with Union law, to recognize electronic identification means with lower levels of certainty of identity.
(16)
Security levels should characterise the degree of confidence that an electronic identification means provides in establishing the identity of a person, thus ensuring that the person claiming a given identity is in fact the person to whom that identity has been attributed. The level of security depends on the degree of confidence that the electronic identification means provides about the identity claimed or asserted by a person, taking into account the technical procedures (e.g. identity proofing and verification, authentication), the management activities (such as the entity issuing the electronic identification means and the procedure for issuing such means) and the controls applied. As a result of standardisation activities and international activities, and of the Union's funding of large-scale pilot projects, several definitions and technical descriptions of security levels exist. In particular, the STORK large-scale pilot project and ISO 29115 refer, inter alia, to levels 2, 3 and 4, which should be taken into account to the maximum extent possible when establishing the minimum technical requirements, standards and procedures for the low, substantial and high security levels within the meaning of this Regulation, while ensuring the consistent application of this Regulation, in particular with regard to the high security level in relation to identity proofing for the issuance of qualified certificates. The requirements to be established should be technologically neutral. It should be possible to meet the necessary security requirements by means of various technologies.
(17)
Member States should encourage the private sector to make voluntary use of electronic identification means covered by a notified system for identification purposes where this is necessary for online services or electronic transactions. The possibility of using such electronic identification means would allow the private sector to make use of electronic identification and authentication already widely used in many Member States, at least for public services, and to facilitate the access of businesses and citizens to their online services across borders. In order to facilitate the use by the private sector of such means of electronic identification across borders, the possibility of authentication offered by any Member State should be available to private sector user parties established outside the territory of that Member State under the same conditions applied to private sector user parties established within that Member State. Consequently, as regards private sector user parties, the notifying Member State may define conditions of access to the means of authentication. Such access conditions may provide information on whether at a given moment the authentication means related to the notified system are available to the private sector user parties.
(18)
This Regulation establishes the liability of the notifying Member State, of the party issuing the electronic identification means and of the party carrying out the authentication procedure in the event of failure to comply with the relevant obligations provided for in this Regulation. However, this Regulation should be applied in line with national rules on liability. It should therefore not affect such national rules, for example on the definition of damages or on the applicable procedural rules, including the burden of proof.
(19)
The security of electronic identification schemes is essential for confidence in the mutual cross-border recognition of electronic identification means. To this end, Member States should cooperate on the security and interoperability of electronic identification schemes at Union level. Where electronic identification schemes may require the use of specific hardware or software by user parties at national level, cross-border interoperability requires that Member States should not impose such requirements and associated costs on user parties established outside their territory. In such a case, appropriate solutions must be discussed and developed within the scope of the interoperability framework. However, technical requirements arising from the intrinsic specifications of national electronic identification means (e.g. smart cards) are unavoidable and may affect the holders of these electronic means.
(20)
The cooperation of the Member States should contribute to the technical interoperability of notified electronic identification schemes with a view to promoting a high level of trust and security, adapted to the degree of risk. The exchange of information and best practices between Member States with a view to their mutual recognition should facilitate such cooperation.
(21)
This Regulation should also establish a general legal framework for the use of trust services. However, it should not create a general obligation to use them or to install an access point for all existing trust services. In particular, it should not cover the provision of services used exclusively within closed systems between a defined set of participants, which have no effect on third parties. For example, systems set up in companies or public administrations to manage internal procedures making use of trust services should not be subject to the obligations of this Regulation. Only trust services provided to the public which have effects on third parties should comply with the obligations laid down in this Regulation. Nor should this Regulation regulate aspects relating to the conclusion and validity of contracts or other legal obligations where there are formal requirements laid down by national or Union law. Likewise, it should not affect national formal requirements for public registers, in particular commercial and land registers.
(22)
In order to contribute to the general cross-border use of trust services, it should be possible to use them as evidence in legal proceedings in all Member States. It is for national law to define the legal effects of trust services, unless otherwise provided for in this Regulation.
(23)
To the extent that this Regulation creates an obligation to recognise a trust service, such a trust service may be refused recognition only where the recipient is unable to read or verify it for technical reasons beyond the recipient's immediate control. However, this obligation should not in turn require a public body to obtain the hardware and software needed for the technical readability of all existing trust services.
(24)
Member States may maintain or introduce national provisions, consistent with Union law, concerning trust services, provided that such services are not fully harmonized by this Regulation. However, trust products and services which comply with this Regulation should be able to circulate freely within the internal market.
(25)
Member States should remain free to define other types of trust services, in addition to those forming part of the closed list of trust services provided for in this Regulation, for the purpose of their recognition at national level as qualified trust services.
(26)
In view of the rapid evolution of technology, this Regulation should adopt an approach open to innovation.
(27)
This Regulation should be technology neutral. The legal effects which it confers should be capable of being achieved by any technical means, provided that the requirements laid down in this Regulation are met.
(28)
In order to enhance in particular the confidence of small and medium-sized enterprises and consumers in the internal market and to promote the use of trust services and trust products, the concepts of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations ensuring a high level of security of any qualified trust service or trust product provided or used.
(29)
In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, adopted by Council Decision 2010/48/EC (8), in particular Article 9 of the Convention, persons with disabilities should be able to use the trust services and end-user products used in the provision of these services on an equal basis with other consumers. Therefore, whenever feasible, the trust services provided and the end-user products used in the provision of these services should be made accessible to persons with disabilities. The feasibility assessment should include, among other aspects, technical and economic considerations.
(30)
Member States should designate one or more supervisory bodies to carry out the supervisory activities provided for in this Regulation. Member States should also be able to decide, by mutual agreement with another Member State, to designate a supervisory body within the territory of that other Member State.
(31)
Supervisory bodies should cooperate with data protection authorities, for example by informing them of the results of audits of qualified trust service providers, in the event that personal data protection rules are found to have been infringed. The provision of information should include, in particular, security incidents and personal data breaches.
(32)
All trust service providers should be responsible for implementing good security practices appropriate to the risks associated with their activities in order to promote user confidence in the single market.
(33)
Provisions concerning the use of pseudonyms in certificates should not prevent Member States from requiring the identification of persons in accordance with national or Union law.
(34)
All Member States should follow common essential oversight requirements in order to ensure an equivalent level of security of qualified trust services. In order to facilitate the consistent application of these requirements across the Union, Member States should adopt comparable procedures and exchange information on their supervisory activities and best practices in this field.
(35)
All trust service providers should be subject to the requirements of this Regulation, in particular on security and liability, to ensure due diligence, transparency and accountability in relation to their operations and services. However, taking into account the type of services provided by trust service providers, it is appropriate to distinguish, insofar as these requirements are concerned, between qualified and non-qualified trust service providers.
(36)
The establishment of a supervisory regime for all trust service providers should ensure a level playing field in terms of security and accountability for their operations and services, thus contributing to the protection of users and the functioning of the internal market. Non-qualified trust service providers should be subject to a light, reactive and ex post type of supervision, justified by the nature of their services and operations. Therefore, the supervisory body should not have a general obligation to supervise non-qualified service providers. The supervisory body should act only when it is informed (e.g. by the non-qualified trust service provider itself, by notification from a user or a business partner, or through its own investigations) that a non-qualified trust service provider does not comply with the requirements of this Regulation.
(37)
This Regulation should establish the liability of all trust service providers. In particular, it establishes the liability regime under which all trust service providers should be liable for damage caused to any natural or legal person as a result of their failure to comply with their obligations under this Regulation. In order to facilitate the assessment of the financial risk that trust service providers may have to bear, or that they should cover by insurance policies, this Regulation allows trust service providers to establish limitations, in certain circumstances, on the use of the services they provide and to exempt them from liability for damages resulting from the use of services exceeding those limitations. Customers should be duly informed of these limitations in advance. Such limitations must be recognizable to third parties, e.g. by including information to this effect in the general terms and conditions of the service provided or by other recognizable means. In order to give effect to these principles, this Regulation should be applied in accordance with national rules on liability. This Regulation should therefore not affect such national rules, for example those relating to the definition of damage, intent, negligence or the relevant applicable procedural rules.
(38)
Notification of security breaches and security risk assessments is essential in order to provide adequate information to the parties involved in the event of a security breach or loss of integrity.
(39)
In order to enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, the supervisory bodies should provide summary information to the Commission and the European Union Agency for Network and Information Security (ENISA).
(40)
In order to enable the Commission and the Member States to assess the effectiveness of the enhanced supervisory mechanism introduced by this Regulation, supervisory bodies should be required to report on their activities. This would be instrumental in facilitating the exchange of best practices between supervisory bodies and would ensure verification that the essential supervisory requirements are applied in a consistent and efficient manner in all Member States.
(41)
In order to ensure the sustainability and durability of qualified trust services and to enhance users’ confidence in the continuity of such services, supervisory bodies should verify the existence and proper implementation of provisions for termination plans in the event that qualified trust service providers cease their activities.
(42)
In order to facilitate the supervision of qualified trust service providers, for example where a provider provides its services in the territory of another Member State and is not subject to supervision there, or where a provider's computers are located in the territory of a Member State other than the one in which it is established, a system of mutual assistance between the supervisory bodies of the Member States should be set up.
(43)
In order to ensure compliance of qualified trust service providers and the services they provide with the requirements of this Regulation, conformity assessment bodies should carry out conformity assessments, and qualified trust service providers should transmit the conformity assessment reports to the supervisory body. Whenever the supervisory body requires a qualified trust service provider to submit an ad hoc conformity assessment report, the supervisory body should observe, in particular, the principle of good administration, including the obligation to give reasons for its decisions, as well as the principle of proportionality. The supervisory body should therefore duly justify any decision requiring an ad hoc conformity assessment.
(44)
The purpose of this Regulation is to provide a coherent framework with a view to ensuring a high level of security and legal certainty for trust services. In this regard, the Commission, when examining the conformity assessment of products and services, should seek, where appropriate, to establish synergies with relevant European and international systems, such as Regulation (EC) No 765/2008 of the European Parliament and of the Council (9) setting out the requirements for the accreditation of conformity assessment bodies and for market surveillance of products.
(45)
In order to enable an efficient start-up process, leading to the inclusion of qualified trust service providers and the qualified trust services they provide in trusted lists, preliminary interactions between candidate qualified trust service providers and the competent supervisory body should be encouraged with a view to facilitating due diligence leading to the provision of qualified trust services.
(46)
Trusted lists are essential elements in building confidence among market operators as they indicate the qualification of the service provider at the time of supervision.
(47)
Trust in online services and the convenience of these services are essential if users are to take full advantage of them and rely on e-services with confidence. To this end, an "EU" trust mark should be created to identify qualified trust services provided by qualified trust service providers. This "EU" trust mark for qualified trust services would clearly differentiate qualified trust services from other trust services, thus contributing to improved market transparency. The use of an "EU" trust mark by qualified trust service providers is voluntary and should not imply any requirements other than those set out in this Regulation.
(48)
While a high level of security is necessary to ensure mutual recognition of electronic signatures, in certain cases, such as for example in the context of Commission Decision 2009/767/EC (10), electronic signatures which have a lower assurance of security should also be accepted.
(49)
This Regulation should establish the principle that the legal effect of an electronic signature should not be denied on the sole ground that it is an electronic signature or that it does not meet all the requirements of a qualified electronic signature. However, it is for national law to determine the legal effects of electronic signatures in the Member States, except for the requirements laid down in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.
(50)
As competent authorities in the Member States currently use different advanced electronic signature formats to electronically sign their documents, it is necessary to ensure that Member States can technically support at least one set of advanced electronic signature formats when receiving electronically signed documents. Similarly, where the competent authorities of the Member States use advanced electronic seals, it would be necessary to ensure that they support at least a range of advanced electronic seal formats.
(51)
It should be possible for the signatory to entrust qualified electronic signature creation devices to a third party, provided that appropriate procedures and mechanisms are in place to ensure that the signatory has sole control over the use of his electronic signature creation data and that the use of the device complies with the requirements for qualified electronic signatures.
(52)
Because of its many economic advantages, remote electronic signature creation, in which the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to develop further. However, in order to ensure that such electronic signatures obtain the same legal recognition as electronic signatures created in a fully user-managed environment, providers offering remote electronic signature services should implement specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, to ensure that the electronic signature creation environment is trustworthy and used under the sole control of the signatory. Where a qualified electronic signature is created by means of a remote electronic signature creation device, the requirements applicable to qualified trust service providers under this Regulation should apply.
(53)
Suspension of qualified certificates is an established operational practice of trust service providers in a number of Member States, distinct from revocation and entailing the temporary loss of validity of a certificate. Legal certainty requires that the suspension of a certificate must always be clearly indicated. To this end, trust service providers should be responsible for clearly indicating the status of the certificate and, if suspended, the precise period for which it has been suspended. This Regulation should not impose on trust service providers and Member States the use of suspension, but should provide for transparency rules where and when this practice is possible.
(54)
Cross-border interoperability and recognition of qualified certificates is a prerequisite for cross-border recognition of qualified electronic signatures. Therefore, qualified certificates should not be subject to any mandatory requirements that go beyond the requirements laid down in this Regulation. However, the inclusion of specific attributes, for example unique identifiers, in qualified certificates should be allowed at national level, provided that such specific attributes do not compromise the interoperability and cross-border recognition of qualified certificates and qualified electronic signatures.
(55)
IT security certification based on international standards (such as ISO 15408 and related assessment methods and mutual recognition agreements) is an important tool for verifying the security of qualified electronic signature creation devices and should be encouraged. However, innovative solutions and services (such as mobile signing and cloud signing) rely on technical and organisational solutions for qualified electronic signature creation devices for which security standards may not yet be available or for which the first IT security certification may still be in progress. It should be possible to assess the security level of such qualified electronic signature creation devices by means of alternative processes only where such security standards are not yet available or where the first IT security certification is ongoing. Such processes should be comparable with IT security certification standards to the extent that their security levels are equivalent. These processes may be facilitated by peer review.
(56)
This Regulation lays down requirements for qualified electronic signature creation devices in order to ensure the functionality of advanced electronic signatures. This Regulation should not cover the entire system environment in which such devices operate. The subject matter of the certification of qualified signature-creation devices should therefore be limited to the hardware and software used to manage and protect the signature-creation data created, stored or processed in the signature-creation device. As specified in the relevant standards, the scope of the certification obligation should exclude signature creation applications.
(57)
In order to provide legal certainty as to the validity of the signature, it is essential to specify which components of a qualified electronic signature are to be assessed by the relying party carrying out the validation. Moreover, specifying the requirements for qualified trust service providers that can provide a qualified validation service to relying parties unwilling or unable to carry out the validation of qualified electronic signatures themselves should stimulate the private and public sectors to invest in such services. Both elements should make qualified electronic signature validation easy and convenient for all parties at Union level.
(58)
Where a transaction requires a qualified electronic seal of a legal person, a qualified electronic signature of the authorized representative of the legal person should be equally acceptable.
(59)
Electronic seals should serve as proof that an electronic document has been issued by a legal person, providing certainty as to the origin and integrity of the document.
(60)
Trust service providers issuing qualified certificates for electronic seals should put in place the necessary measures to be able to establish the identity of the natural person representing the legal person to whom the qualified certificate for electronic seals is delivered, where such identification is required at national level in the context of judicial or administrative proceedings.
(61)
This Regulation should ensure the long-term preservation of information, in order to ensure the legal validity of electronic signatures and electronic seals over extended periods of time and to guarantee that they can be validated irrespective of future technological changes.
(62)
In order to ensure the security of qualified electronic time stamps, this Regulation should require the use of an advanced electronic seal or an advanced electronic signature or of other equivalent methods. It is foreseeable that innovation may lead to new technologies that ensure an equivalent level of security for time stamps. Whenever a method other than an advanced electronic seal or an advanced electronic signature is used, it should be up to the qualified trust service provider to demonstrate, in the conformity assessment report, that such a method ensures an equivalent level of security and complies with the obligations set out in this Regulation.
(63)
Electronic documents are important for the further development of cross-border electronic transactions in the internal market. This Regulation should establish the principle that an electronic document should not be denied legal effect solely on the grounds that it is in electronic form in order to ensure that an electronic transaction is not rejected solely on the grounds that the document is in electronic form.
(64)
When considering advanced electronic signature and seal formats, the Commission should rely on existing practices, rules and regulations, and in particular Commission Decision 2011/130/EU (11).
(65)
In addition to authenticating the document issued by the legal person, electronic seals may be used to authenticate any digital assets of the legal person, for example, software or servers.
(66)
It is essential to provide a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services. That framework could also open new market opportunities for Union trust service providers to offer new pan-European electronic registered delivery services.
(67)
Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website. Those services contribute to building trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated. The provision and the use of website authentication services are entirely voluntary. However, in order for website authentication to become a means of boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimum security and liability obligations for the providers and their services. To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum (CA/B Forum), have been taken into account. In addition, this Regulation should not impede the use of other means or methods of authenticating a website not falling under this Regulation, nor should it prevent website authentication service providers established in third countries from providing their services to customers in the Union. However, a third-country provider's website authentication services should be recognised as qualified in accordance with this Regulation only where an international agreement has been concluded between the Union and the country of establishment of the provider.
(68)
In accordance with the provisions of the Treaty on the Functioning of the European Union (TFEU) on establishment, the concept of “legal persons” allows operators to freely choose the legal form they consider appropriate for the conduct of their activities. Therefore, “legal persons” within the meaning of the TFEU include all entities incorporated under, or governed by, the law of a Member State, irrespective of their legal form.
(69)
The institutions, bodies, offices and agencies of the European Union are encouraged to recognize the electronic identification and trust services covered by this Regulation for the purposes of administrative cooperation, building in particular on existing good practices and the results of ongoing projects in the areas covered by this Regulation.
(70)
In order to supplement certain specific technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the criteria to be met by bodies responsible for the certification of qualified electronic signature creation devices. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
(71)
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in particular to specify the reference numbers of standards the use of which would give a presumption of compliance with certain requirements laid down in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (12).
(72)
When adopting delegated or implementing acts, the Commission should take due account of technical standards and specifications developed by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunications Union (ITU), with a view to ensuring a high level of security and interoperability of electronic identification and trust services.
(73)
For reasons of legal certainty and clarity, Directive 1999/93/EC should be repealed.
(74)
In order to provide legal certainty for market operators already using qualified certificates issued to natural persons in accordance with Directive 1999/93/EC, it is necessary to provide for a sufficient transition period. Similarly, transitional measures should be provided for secure signature-creation devices, the conformity of which has been determined in accordance with Directive 1999/93/EC, as well as for certification service providers issuing qualified certificates before 1 July 2016. Finally, it is also necessary to provide the Commission with the necessary means to adopt implementing acts and delegated acts before that date.
(75)
The implementation dates provided for in this Regulation should not prevent Member States from complying with their existing obligations under Union law, in particular Directive 2006/123/EC.
(76)
Since the objective of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the scale of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in the same Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(77)
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (13) and delivered an opinion on 27 September 2012 (14).
HAVE ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
With the objective of ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services, this Regulation:
a)
lays down the conditions under which Member States shall recognize the electronic identification means of natural and legal persons belonging to a notified electronic identification scheme of another Member State,
b)
lays down rules for trust services, in particular for electronic transactions; and
c)
establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
Article 2
Scope of application
1. This Regulation applies to electronic identification schemes notified by Member States and to trust service providers established in the Union.
2. This Regulation does not apply to the provision of trust services used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.
3. This Regulation does not affect national or Union law relating to the conclusion and validity of contracts or other legal or procedural obligations relating to form.
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
1)
“electronic identification” means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;
2)
“electronic identification means” means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service;
3)
“person identification data” means a set of data enabling the identity of a natural or legal person, or of a natural person representing a legal person, to be established;
4)
“electronic identification scheme” means a system for electronic identification under which electronic identification means are issued to natural or legal persons, or to natural persons representing legal persons;
5)
“authentication” means an electronic process that makes possible the electronic identification of a natural or legal person, or of the origin and integrity of data in electronic form;
6)
“relying party” means a natural or legal person that relies upon an electronic identification or a trust service;
7)
“public sector body” means state, regional or local authorities, bodies governed by public law and associations formed by one or more of these authorities or one or more of these bodies governed by public law, or private entities mandated by at least one of these authorities, bodies or associations to provide public services acting in that capacity;
8)
“body governed by public law” means as defined in Article 2(1)(4) of Directive 2014/24/EU of the European Parliament and of the Council (15);
9)
“signatory” means a natural person who creates an electronic signature;
10)
“electronic signature” means data in electronic form attached to or logically associated with other electronic data that is used by the signatory to sign;
11)
“advanced electronic signature” means an electronic signature that meets the requirements referred to in Article 26;
12)
“qualified electronic signature” means an advanced electronic signature that is created by means of a qualified electronic signature creation device and that is based on a qualified electronic signature certificate;
13)
“electronic signature creation data” means the unique data used by the signatory to create an electronic signature;
14)
“electronic signature certificate” means an electronic statement that links the validation data of a signature to a natural person and confirms at least the name or pseudonym of that person;
15)
“qualified electronic signature certificate” means an electronic signature certificate that has been issued by a qualified trust service provider and meets the requirements set out in Annex I;
16)
“trust service” means an electronic service normally provided for remuneration which consists of:
a)
the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
b)
the creation, verification and validation of certificates for website authentication; or
c)
the preservation of electronic signatures, seals or certificates related to those services;
17)
“qualified trust service” means a trust service that complies with the applicable requirements set out in this Regulation;
18)
“conformity assessment body” means a body as defined in point 13 of Article 2 of Regulation (EC) No 765/2008 whose competence to perform a conformity assessment of a qualified trust service provider and the qualified trust services provided by it is accredited under that Regulation;
19)
“trust service provider” means a natural or legal person who provides one or more trust services, either as a qualified trust service provider or as an unqualified trust service provider;
20)
“qualified trust service provider” means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body;
21)
“product” means hardware or software, or relevant components of hardware or software, which are intended to be used for the provision of trust services;
22)
“electronic signature creation device” means configured hardware or software used to create an electronic signature;
23)
“qualified electronic signature creation device” means an electronic signature creation device that meets the requirements listed in Annex II;
Article 33
Qualified validation service for qualified electronic signatures
1. A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:
a)
provides validation in compliance with Article 32(1); and
b)
allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of a qualified electronic signature complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 34
Qualified preservation service for qualified electronic signatures
1. A qualified preservation service for qualified electronic signatures may only be provided by a qualified trust service provider that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature beyond the technological validity period.
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the qualified preservation service for qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the qualified preservation service for qualified electronic signatures comply with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
SECTION 5
Electronic seals
Article 35
Legal effect of an electronic seal
1. An electronic seal shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of a qualified electronic seal.
2. A qualified electronic seal shall enjoy the presumption of integrity of the data and the correctness of the origin of the data to which the qualified electronic seal is linked.
3. A qualified electronic seal based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic seal in all other Member States.
Article 36
Requirements for advanced electronic seals
An advanced electronic seal shall meet the following requirements:
a)
be uniquely linked to the creator of the seal;
b)
be capable of identifying the creator of the seal;
c)
have been created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its sole control, use for electronic seal creation; and
d)
be linked to the data to which it relates in such a way that any subsequent change in the data is detectable.
Article 37
Electronic seals in public services
1. If a Member State requires an advanced electronic seal for the purpose of using an online service offered by or on behalf of a public sector body, that Member State shall recognise advanced electronic seals, advanced electronic seals based on a qualified certificate for electronic seals and qualified electronic seals at least in the formats or with the methods defined in the implementing acts referred to in paragraph 5.
2. If a Member State requires an advanced electronic seal based on a qualified certificate in order to use an online service offered by or on behalf of a public sector body, that Member State shall recognise advanced electronic seals based on a qualified certificate and qualified electronic seals at least in the formats or with the methods defined in the implementing acts referred to in paragraph 5.
3. Member States shall not require, for cross-border use in an online service offered by a public sector body, an electronic seal whose security level is higher than that of a qualified electronic seal.
4. The Commission may, by means of implementing acts, establish reference numbers of standards for advanced electronic seals. Compliance with the requirements for advanced electronic seals referred to in paragraphs 1 and 2 of this Article and in Article 36 shall be presumed where an advanced electronic seal complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
5. By 18 September 2015, and taking into account existing practices, Union standards and legal acts, the Commission shall adopt implementing acts defining the reference formats for advanced electronic seals or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 38
Qualified certificates for electronic seals
1. Qualified certificates for electronic seals shall meet the requirements laid down in Annex III.
2. Qualified certificates for electronic seals shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III.
3. Qualified certificates for electronic seals may include non-mandatory additional specific attributes. Those attributes shall not affect the interoperability and recognition of qualified electronic seals.
4. If a qualified certificate for an electronic seal has been revoked after initial activation, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.
5. Subject to the conditions set out below, Member States may lay down national rules on the temporary suspension of qualified certificates for electronic seals:
a)
If a qualified certificate for electronic seal has been temporarily suspended, that certificate shall lose its validity during the period of suspension.
b)
The period of suspension shall be clearly indicated in the certificate database and the suspension status shall be visible, during the period of suspension, from the service providing the certificate status information.
6. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements set out in Annex III shall be presumed where a qualified certificate for electronic seal complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 39
Qualified electronic seal creation devices
1. Article 29 shall apply mutatis mutandis to the requirements for qualified electronic seal creation devices.
2. Article 30 shall apply mutatis mutandis to the certification of qualified electronic seal creation devices.
3. Article 31 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal creation devices.
Article 40
Validation and preservation of qualified electronic seals
Articles 32, 33 and 34 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals.
SECTION 6
Electronic time stamp
Article 41
Legal effect of electronic time stamps
1. An electronic time stamp shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of a qualified electronic time stamp.
2. Qualified electronic time stamps shall enjoy a presumption of accuracy of the date and time they indicate and of the integrity of the data to which the date and time are linked.
3. A qualified electronic time stamp issued in one Member State shall be recognized as a qualified electronic time stamp in all Member States.
Article 42
Requirements for qualified electronic time stamps
1. A qualified electronic time stamp shall meet the following requirements:
a)
bind the date and time to the data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
b)
be based on an accurate time source linked to Coordinated Universal Time; and
c)
be signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
2. The Commission may, by means of implementing acts, establish reference numbers of standards relating to the linkage of date and time to data and to an accurate time source of information. Compliance with the requirements laid down in paragraph 1 shall be presumed where the linkage of the date and time to the data and the source of accurate time information complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
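Article 36 (advanced electronic seals) and Article 42(1) (qualified electronic time stamps) describe, in legal terms, two constructions a practitioner builds from a hash and a digital signature: a seal is a signature by the creator over the document, and a time stamp is a provider's signature over the digest of the stamped data together with a UTC time. The Go program below is an added example and is not part of the Regulation nor the software of any trust service provider; it assumes SHA-256 and Ed25519 as the primitives (the Regulation names no algorithms), uses a constructed document and freshly generated keys, and encodes the tokens in an ad hoc byte layout rather than the standardised formats that the implementing acts referenced in Articles 37(4) and 42(2) point to. Every function, type and name in it (`Seal`, `TimeStamp`, `CreateSeal`, `IssueTimeStamp`, the "Example Legal Person SA" creator) is hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NewKeyPair generates a fresh Ed25519 key pair (for a seal creator or a provider).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// Seal binds a document to the identity of its creator with an Ed25519
// signature over (creator, SHA-256 digest): Article 36(a)-(d).
type Seal struct {
	Creator string   // identifies the creator of the seal (Art. 36(b))
	Digest  [32]byte // SHA-256 of the sealed document
	Sig     []byte   // Ed25519 signature over sealTBS(Creator, Digest)
}

// sealTBS builds the bytes that are signed. The creator name is length-prefixed
// so that different (creator, digest) pairs never encode to the same bytes.
func sealTBS(creator string, d [32]byte) []byte {
	buf := make([]byte, 4, 4+len(creator)+len(d))
	binary.BigEndian.PutUint32(buf, uint32(len(creator)))
	buf = append(buf, creator...)
	return append(buf, d[:]...)
}

// CreateSeal signs with the seal creation key, which only the creator holds
// (Art. 36(a) and (c)).
func CreateSeal(priv ed25519.PrivateKey, creator string, doc []byte) Seal {
	d := sha256.Sum256(doc)
	return Seal{Creator: creator, Digest: d, Sig: ed25519.Sign(priv, sealTBS(creator, d))}
}

// VerifySeal recomputes the digest and checks the signature; any later change
// to the document, the creator field or the signature is detected (Art. 36(d)).
func VerifySeal(pub ed25519.PublicKey, s Seal, doc []byte) error {
	if sha256.Sum256(doc) != s.Digest {
		return errors.New("seal: document changed after sealing")
	}
	if !ed25519.Verify(pub, sealTBS(s.Creator, s.Digest), s.Sig) {
		return errors.New("seal: signature invalid for this creator key")
	}
	return nil
}

// SealBytes is the canonical encoding of a seal, so that a time stamp over it
// fixes both the document digest and the seal itself at a point in time.
func SealBytes(s Seal) []byte {
	return append(sealTBS(s.Creator, s.Digest), s.Sig...)
}

// TimeStamp is a minimal token: the digest of the stamped data and a UTC time
// (Art. 42(1)(a) and (b)), signed by the time-stamping provider (Art. 42(1)(c)).
type TimeStamp struct {
	Digest [32]byte
	UTC    int64 // Unix seconds, always taken in UTC, never local time
	Sig    []byte
}

func tsTBS(d [32]byte, t int64) []byte {
	buf := make([]byte, 8, 8+len(d))
	binary.BigEndian.PutUint64(buf, uint64(t))
	return append(buf, d[:]...)
}

// IssueTimeStamp is the provider side; the clock passed in stands for the
// provider's UTC-linked time source.
func IssueTimeStamp(tsaPriv ed25519.PrivateKey, data []byte, now time.Time) TimeStamp {
	d := sha256.Sum256(data)
	t := now.UTC().Unix()
	return TimeStamp{Digest: d, UTC: t, Sig: ed25519.Sign(tsaPriv, tsTBS(d, t))}
}

// VerifyTimeStamp is the relying-party side: data, time and the provider's
// signature must all still match, otherwise the token is rejected.
func VerifyTimeStamp(tsaPub ed25519.PublicKey, ts TimeStamp, data []byte) error {
	if sha256.Sum256(data) != ts.Digest {
		return errors.New("time stamp: data changed after stamping")
	}
	if !ed25519.Verify(tsaPub, tsTBS(ts.Digest, ts.UTC), ts.Sig) {
		return errors.New("time stamp: signature invalid (data, time or key altered)")
	}
	return nil
}

func main() {
	// Constructed sample keys and document; no real provider or legal person.
	sealPub, sealPriv := NewKeyPair()
	tsaPub, tsaPriv := NewKeyPair()
	doc := []byte("Invoice 2014-07-23: 100 EUR")

	seal := CreateSeal(sealPriv, "Example Legal Person SA", doc)
	ts := IssueTimeStamp(tsaPriv, SealBytes(seal), time.Now())
	fmt.Println("seal verification error:", VerifySeal(sealPub, seal, doc))
	fmt.Println("time stamp verification error:", VerifyTimeStamp(tsaPub, ts, SealBytes(seal)))

	// Change one figure in the document: the seal no longer verifies.
	tampered := bytes.Replace(doc, []byte("100"), []byte("900"), 1)
	fmt.Println("after tampering:", VerifySeal(sealPub, seal, tampered))
}
```

The time stamp is issued over `SealBytes(seal)` rather than over the bare document, so the token attests that the seal, not just the document, existed at the stated time; that is the ordering a long-term validation needs, and it is why both the seal and the stamp have to be re-verified by a relying party rather than trusted on sight. Recording the time in UTC before signing is what keeps the token independent of the time zone of whoever later validates it.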
SECTION 7
Electronic registered delivery services
Article 43
Legal effect of an electronic registered delivery service
1. Data sent and received using an electronic registered delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of the qualified electronic registered delivery service.
2. Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.
Article 44
Requirements for qualified electronic registered delivery services
1. Qualified electronic registered delivery services shall meet the following requirements:
a)
be provided by one or more qualified trust service providers;
b)
ensure with a high level of confidence the identification of the sender;
c)
ensure the identification of the addressee before the delivery of the data;
d)
secure the sending and receiving of data by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
e)
clearly indicate to the sender and to the addressee any change to the data needed for the purpose of sending or receiving the data;
f)
indicate by means of a qualified electronic time stamp the date and time of sending, receiving and any change of data.
In case the data are transferred between two or more qualified trust service providers, the requirements set forth in letters a) to f) shall apply to all qualified trust service providers.
2. The Commission may, by means of implementing acts, establish reference numbers of standards relating to the processes of sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process of sending and receiving data complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
SECTION 8
Authentication of websites
Article 45
Requirements for qualified certificates for website authentication
1. Qualified certificates for website authentication shall comply with the requirements set out in Annex IV.
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements set out in Annex IV shall be presumed where a qualified website authentication certificate complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
CHAPTER IV
ELECTRONIC DOCUMENTS
Article 46
Legal effects of electronic documents
1. An electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form.
CHAPTER V
DELEGATION OF POWERS AND IMPLEMENTING PROVISIONS
Article 47
Exercise of the delegation
1. The Commission is empowered to adopt delegated acts subject to the conditions laid down in this Article.
2. The power to adopt the delegated acts referred to in Article 30(4) shall be conferred on the Commission for an indeterminate period of time from 17 September 2014.
3. The delegation of power referred to in Article 30(4) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of the powers specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Article 30(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. The period shall be extended by two months at the initiative of the European Parliament or the Council.
Article 48
Committee procedure
1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
CHAPTER VI
FINAL PROVISIONS
Article 49
Review
The Commission shall review the application of this Regulation and report to the European Parliament and the Council by 1 July 2020. The Commission shall in particular assess whether it is appropriate to amend the scope of this Regulation or its specific provisions, including Articles 6, 7(f), 34, 43, 44 and 45, taking into account the experience gained in the application of this Regulation, as well as technological, market and legal developments.
The report referred to in the first subparagraph shall be accompanied, if necessary, by legislative proposals.
The Commission shall also submit a report to the European Parliament and the Council every four years following the report referred to in the first subparagraph on progress towards achieving the objectives of this Regulation.
Article 50
Repeal
1. Directive 1999/93/EC is repealed with effect from 1 July 2016.
2. References to the repealed Directive shall be construed as references to this Regulation.
Article 51
Transitional Measures
1. Secure signature-creation devices whose compliance has been determined in accordance with Article 3(4) of Directive 1999/93/EC shall be considered as qualified electronic signature creation devices within the meaning of this Regulation.
2. Qualified certificates issued to natural persons in accordance with Directive 1999/93/EC shall be considered qualified certificates for electronic signatures within the meaning of this Regulation until they expire.
3. A certification-service-provider issuing qualified certificates in accordance with Directive 1999/93/EC shall submit a conformity assessment report to the supervisory body as soon as possible but not later than 1 July 2017. Until the certification-service-provider submits such a conformity assessment report and the supervisory body completes its analysis, that certification-service-provider shall be considered, under this Regulation, as a qualified trust service provider.
4. If a certification-service-provider issuing qualified certificates in accordance with Directive 1999/93/EC fails to submit a conformity assessment report to the supervisory body within the deadline referred to in paragraph 3, that certification-service-provider may not be considered, under this Regulation, as a qualified trust service provider as from 2 July 2017.
Article 52
Entry into force
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. This Regulation shall apply from 1 July 2016, with the exception of the following provisions:
a)
Articles 8(3), 9(5), 12(2) to (9), 17(8), 19(4), 20(4), 21(4), 22(5), 23(3), 24(5), 27(4) and (5), 28(6), 29(2), 30(3) and (4), 31(3), 32(3), 33(2), 34(2), 37(4) and (5), 38(6), 42(2), 44(2), 45(2), and Articles 47 and 48 shall apply from 17 September 2014;
b)
Articles 7, 8(1) and (2), 9, 10, 11 and 12(1) shall apply from the date of application of the implementing acts provided for in Articles 8(3) and 12(8);
c)
Article 6 shall apply from three years after the date of application of the implementing acts referred to in Articles 8(3) and 12(8).
3. Where the notified electronic identification scheme is included in the list published by the Commission pursuant to Article 9 before the date referred to in paragraph 2(c) of this Article, the recognition of electronic identification means issued under that scheme pursuant to Article 6 shall be carried out at the latest 12 months after the publication of that scheme, but not before the date referred to in paragraph 2(c) of this Article.
4. By way of derogation from paragraph 2(c) of this Article, a Member State may decide that the means of electronic identification under the electronic identification scheme notified in accordance with Article 9(1) by another Member State shall be recognized in the first Member State as from the date of application of the implementing acts provided for in Articles 8(3) and 12(8). The Commission shall make that information publicly available.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 23 July 2014.
For the Parliament
The President
M. SCHULZ
For the Council
The President
S. GOZI
(1) OJ C 351, 15.11.2012, p. 73.
(2) Position of the European Parliament and of the Council of 3 April 2014 (not yet published in the Official Journal) and Council Decision of 23 July 2014.
(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13, 19.1.2000, p. 12).
(4) OJ C 50, 21.2.2012, p. 1.
(5) Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376, 27.12.2006, p. 36).
(6) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
(7) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
(8) Council Decision 2010/48/EC of 26 November 2009 concerning the conclusion, by the European Community, of the United Nations Convention on the Rights of Persons with Disabilities (OJ L 23, 27.1.2010, p. 35).
(9) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
(10) Commission Decision 2009/767/EC of 16 October 2009 adopting measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 274, 20.10.2009, p. 36).
(11) Commission Decision 2011/130/EU of 25 February 2011 laying down minimum requirements for cross-border processing of electronically signed documents by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 53, 26.2.2011, p. 66).
(12) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(13) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(14) OJ C 28, 30.1.2013, p. 6.
(15) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).
ANNEX I
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SIGNATURES
Qualified certificates for electronic signatures shall contain:
a) an indication, at least in a format suitable for automatic processing, that the certificate has been issued as a qualified certificate for electronic signatures;
b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established; and
– for legal persons: the name and, where applicable, the registration number as recorded in the official registers,
– for natural persons: the name of the person;
c) at least the name of the signatory or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
d) electronic signature validation data corresponding to the electronic signature creation data;
e) data relating to the beginning and end of the period of validity of the certificate;
f) the certificate identity code, which must be unique for the qualified trust service provider;
g) the advanced electronic signature or advanced electronic seal of the issuing trust service provider;
h) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is freely available;
i) the location of the services that can be used to consult the validity status of the qualified certificate;
j) where the electronic signature creation data related to the electronic signature validation data are contained in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automatic processing.
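The field list above maps closely onto X.509. The following Go program is an added example written for this page, not code from the Regulation or from any project: it checks a parsed certificate against the Annex I points that depend on the issuer's choices. It assumes the ETSI EN 319 412-5 QcStatements profile (the QcCompliance and QcSSCD statement OIDs) as the "format suitable for automatic processing" for points (a) and (j), which the Regulation itself does not name, and feeds itself a constructed self-signed sample certificate; Annexes III and IV follow the same field mapping with different subject data.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
var oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QcStatements extension (RFC 3739)
var oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}        // ETSI EN 319 412-5: qualified, Annex I point (a)
var oidQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}              // ETSI EN 319 412-5: key held on a QSCD, point (j)
type qcStatement struct { // QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}
// AnnexIGaps lists the Annex I points a parsed certificate does not meet. Points (d) to (g) are
// mandatory X.509 fields that x509.ParseCertificate already enforces, so they are not re-checked.
func AnnexIGaps(c *x509.Certificate) (gaps []string) {
	ids := map[string]bool{} // statement OIDs found in the QcStatements extension
	for _, e := range c.Extensions {
		var st []qcStatement // the decoded value is only used for the QcStatements extension
		if _, err := asn1.Unmarshal(e.Value, &st); e.Id.Equal(oidQcStatements) && err == nil {
			for _, s := range st { ids[s.ID.String()] = true }
		}
	}
	add := func(ok bool, msg string) { if !ok { gaps = append(gaps, msg) } }
	add(ids[oidQcCompliance.String()], "(a) no QcCompliance statement")
	add(len(c.Issuer.Country) > 0 && c.Issuer.CommonName != "", "(b) issuer lacks name or Member State")
	add(c.Subject.CommonName != "", "(c) no signatory name or pseudonym")
	add(len(c.IssuingCertificateURL) > 0, "(h) no location for the issuer certificate")
	add(len(c.OCSPServer)+len(c.CRLDistributionPoints) > 0, "(i) no validity status service")
	add(ids[oidQcSSCD.String()], "(j) no QcSSCD statement")
	return gaps
}
// SampleCert builds a constructed self-signed test certificate; withQc toggles the QcStatements extension.
func SampleCert(withQc bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for the constructed sample
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(4711), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		Subject:               pkix.Name{Country: []string{"ES"}, CommonName: "Example QTSP test certificate"},
		IssuingCertificateURL: []string{"http://qtsp.example/ca.crt"}, OCSPServer: []string{"http://qtsp.example/ocsp"}}
	if withQc { // add QcCompliance and QcSSCD, each without statementInfo
		der, _ := asn1.Marshal([]qcStatement{{ID: oidQcCompliance}, {ID: oidQcSSCD}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidQcStatements, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run against the sample without the extension, AnnexIGaps reports points (a) and (j) as missing; with it, the list is empty.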
ANNEX II
REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE CREATION DEVICES
1. Qualified electronic signature creation devices shall ensure, at least by appropriate technical and procedural means, that:
a) the confidentiality of the electronic signature creation data used for the creation of electronic signatures is reasonably assured;
b) the electronic signature creation data used for the creation of electronic signatures can in practice occur only once;
c) there is reasonable assurance that the electronic signature creation data used for the creation of electronic signatures cannot be derived and that the signature is reliably protected against forgery by means of currently available technology;
d) the electronic signature creation data used for the creation of electronic signatures can be reliably protected by the legitimate signatory against use by others.
2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being displayed to the signatory prior to signing.
3. The generation or management of electronic signature creation data on behalf of the signatory may only be performed by a qualified trust service provider.
4. Without prejudice to point 1(d), qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the signature creation data only for the purpose of backing it up, provided that the following requirements are met:
a) the security of the duplicate data sets is of the same level as for the original data sets;
b) the number of duplicate data sets does not exceed the minimum necessary to ensure continuity of service.
ANNEX III
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SEALS
Qualified certificates for electronic seals shall contain:
a) an indication, at least in a format suitable for automatic processing, that the certificate has been issued as a qualified certificate for electronic seals;
b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established; and
– for legal persons: the name and, where applicable, the registration number as recorded in the official registers,
– for natural persons: the name of the person;
c) at least the name of the creator of the seal and, where applicable, the registration number as recorded in the official registers;
d) electronic seal validation data corresponding to the electronic seal creation data;
e) data relating to the beginning and end of the period of validity of the certificate;
f) the certificate identity code, which must be unique for the qualified trust service provider;
g) the advanced electronic signature or advanced electronic seal of the issuing trust service provider;
h) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is freely available;
i) the location of the services that can be used to consult the validity status of the qualified certificate;
j) where the electronic seal creation data related to the electronic seal validation data are contained in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automatic processing.
ANNEX IV
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR WEBSITE AUTHENTICATION
Qualified website authentication certificates shall contain:
a) an indication, at least in a format suitable for automatic processing, that the certificate has been issued as a qualified website authentication certificate;
b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established; and
– for legal persons: the name and, where applicable, the registration number as recorded in the official registers,
– for natural persons: the name of the person;
c) for natural persons: at least the name of the person to whom the certificate is issued, or a pseudonym; if a pseudonym is used, it shall be clearly indicated; for legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as recorded in the official registers;
d) elements of the address, including at least the city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as recorded in official registers;
e) the domain name or names operated by the natural or legal person to whom the certificate is issued;
f) data relating to the beginning and end of the period of validity of the certificate;
g) the certificate identity code, which must be unique for the qualified trust service provider;
h) the advanced electronic signature or advanced electronic seal of the issuing trust service provider;
i) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (h) is freely available;
j) the location of the services that can be used to consult the validity status of the qualified certificate.